Pattern8
๐ฑ AI Agent Governance Framework โ Constrain how AI Agents behave in your project. pip install pattern8
Ask AI about Pattern8
Powered by Claude ยท Grounded in docs
I know everything about Pattern8. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Reviews
Documentation
Pattern 8 (P8)
Zero-Trust Governance Framework to stop AI Agents from hallucinating, breaking things, and bypassing your rules.
"Your prompt is merely a suggestion. P8 is the law."
Table of Contents
- The Problem
- Quick Start
- Architecture
- Project Structure
- How It Works: Law vs. Police
- The 5 Patterns
- Anatomy of a SKILL
- The 5 Built-in SKILLs
- MCP Enforcement Engine
- Data Flow
- CLI Reference
- IDE Integration
- Pre-commit Hooks
- Creating Custom SKILLs
- Contributing
- License
The Chaos vs. The Law
Are you tired of AI coding agents (Claude, Cursor, Devin) ignoring your instructions, deleting the wrong files, or pushing code without tests?
Prompts are not enough. Prompt injection defence is impossible. To truly control an agent, constraints must be enforced at the OS and code level.
โ Without P8 (The Chaos)
- Agent decides to skip writing tests because it's "too trivial".
- Agent runs
rm -rfby mistake during a multi-step refactor. - Agent outputs a feature without ever writing a design doc.
- Agent ignores your 5,000-word system prompt because its context window is full.
๐ก๏ธ With P8 (The Law)
- MCP SecurityGuard intercepts and blocks dangerous commands at the OS level.
- MCP Reviewer forces the agent into a strict retry-loop if output doesn't match the
template.yaml. - Pre-commit Hooks ensure the agent hasn't tampered with the rules themselves.
- Inversion Pattern forces the agent to stop and ask you clarifying questions instead of hallucinating.
โก Zero to Hero in 30 Seconds
Take absolute control of your codebase with 3 commands:
# 1. Install the enforcer (Python 3.8+)
pip install pattern8
# 2. Add handcuffs to your current project
p8 init
# 3. Done. Your Agents are now under control.
p8 list
๐ก For Chinese-language teams:
p8 init --lang zhgenerates all SKILL files with Chinese annotations.
๐๏ธ Architecture Overview
P8 is NOT an AI Agent framework. It does not call LLMs or drive pipelines.
P8 is a governance layer โ a set of enforceable rule files + a runtime enforcement engine that constrains how any AI Agent works on your project.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ YOUR PROJECT โ
โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ ๐ LAW (Editable) โ โ ๐ POLICE (Read-Only Engine) โ โ
โ โ โ โ โ โ
โ โ skills/ โ โ src/p8/enforcement/ โ โ
โ โ โโโ prd/ โโโโ โ โโโ mcp_server.py (Gateway) โ โ
โ โ โโโ bug_fix/ โ โ โโโ security_guard.py (Block) โ โ
โ โ โโโ code_review/ โ โ โโโ reviewer.py (Audit) โ โ
โ โ โโโ refactor/ โ โ โ โ
โ โ โโโ feature_dev/ โ โ Runs as MCP stdio server โ โ
โ โ โ โ Agent โ MCP โ Police โ โ
โ โ AGENTS.md โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ .cursor/rules/*.mdc โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ ๐ HOOKS (Git-level) โ โ
โ โ hooks/pre-commit โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Key Insight: The Agent can read SKILL.md, checklist.yaml, and template.yaml (the "law"). But it cannot read guidelines.yaml or security.yaml (the "audit criteria"). This prevents the Agent from gaming the audit.
๐ Project Structure
pattern8/
โโโ src/p8/ # Python package (pip install pattern8)
โ โโโ __init__.py # Package metadata (version)
โ โโโ cli.py # CLI entry point (click-based)
โ โโโ enforcement/ # ๐ Enforcement engine
โ โโโ __init__.py
โ โโโ mcp_server.py # MCP protocol gateway (3 Resources + 2 Tools)
โ โโโ security_guard.py # OS-level command blocker (regex blacklist)
โ โโโ reviewer.py # Static rule audit engine (format + rules)
โ
โโโ skills/ # ๐ Built-in SKILL rules (English)
โ โโโ prd/ # Product Requirements Document
โ โ โโโ SKILL.md # Pipeline definition (frontmatter + steps)
โ โ โโโ assets/
โ โ โ โโโ checklist.yaml # Inversion: pre-flight questions
โ โ โ โโโ template.yaml # Generator: output format
โ โ โโโ references/
โ โ โโโ guidelines.yaml # ๐ Reviewer audit rules (hidden from Agent)
โ โ โโโ security.yaml # ๐ SecurityGuard blacklist (hidden from Agent)
โ โโโ bug_fix/ # Bug Fix (same structure)
โ โโโ code_review/ # Code Review (same structure)
โ โโโ feature_dev/ # Feature Development (same structure)
โ โโโ refactor/ # Refactoring (same structure)
โ
โโโ skills_zh/ # ๐ Built-in SKILL rules (Chinese)
โ โโโ (same structure as skills/)
โ
โโโ hooks/
โ โโโ pre-commit # ๐ Git hook: SKILL integrity + secret scan
โ
โโโ AGENTS.md # Global agent behavior instructions
โโโ .cursor/rules/
โ โโโ p8-enforcement.mdc # Cursor IDE injection rules
โ
โโโ tests/
โ โโโ test_p8.py # CLI + SKILL management tests
โ โโโ test_enforcement.py # SecurityGuard + Reviewer + MCP tests
โ
โโโ .github/workflows/
โ โโโ ci.yml # CI: pytest on Python 3.11-3.13 ร Ubuntu/macOS
โ
โโโ pyproject.toml # Build config (hatchling)
โโโ CONTRIBUTING.md # Contributor guide
โโโ CHANGELOG.md # Version history
โโโ LICENSE # MIT
๐ How It Works: Law vs. Police
P8 separates Law (editable rules) from Police (read-only execution engine):
Developer-editable (Law) Read-only Engine (Police)
โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ SKILL.md โ โ SecurityGuard โ
โ checklist.yaml โ read โ โ โณ regex blacklist โ
โ template.yaml โ โ โณ OS command hooks โ
โ guidelines.yaml ๐ โ โ Reviewer โ
โ security.yaml ๐ โ โ โณ static rule engine โ
โ โ โ โณ P8AuditError rollback โ
โ "The Constitution" โ โ "The Police" โ
โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Agent calls via MCP โ
You write the Law in simple Markdown and YAML. The Police engine enforces them automatically via MCP (Model Context Protocol). Files marked with ๐ are deliberately hidden from the Agent so it cannot read the security parameters used to audit it.
๐ The 5 Enforcement Patterns
Every SKILL enforces 5 patterns in sequence. These are the backbone of P8's governance philosophy:
| # | Pattern | What It Does | Controlled By |
|---|---|---|---|
| 1 | Pipeline | Tasks execute in a strict ordered sequence. No step may be skipped. | SKILL.md |
| 2 | Inversion | Before starting, the Agent must verify all preconditions. If info is missing, it stops and asks โ no guessing. | assets/checklist.yaml |
| 3 | Generator | Output must follow a strict template. Every section must be filled. No freestyle. | assets/template.yaml |
| 4 | Tool Wrapper | Before executing OS commands, the Agent must pass through a security checkpoint. Blacklisted operations are rejected. | references/security.yaml ๐ |
| 5 | Reviewer | After completing output, a static audit engine scores the result. Non-compliant output triggers rollback + retry (up to 3ร). | references/guidelines.yaml ๐ |
Why are patterns 4 and 5 hidden? If the Agent can read the exact audit criteria, it can game the system by producing output that technically passes but is semantically garbage. By hiding them, the audit stays honest.
๐งฌ Anatomy of a SKILL
Each SKILL is a self-contained directory with 4 YAML config files and 1 Markdown pipeline definition:
skills/<skill_name>/
โโโ SKILL.md # Pipeline definition (YAML frontmatter + Markdown steps)
โโโ assets/
โ โโโ checklist.yaml # Pattern 2 โ Inversion: pre-flight checklist
โ โโโ template.yaml # Pattern 3 โ Generator: output format template
โโโ references/
โโโ guidelines.yaml # Pattern 5 โ ๐ Reviewer: audit rules
โโโ security.yaml # Pattern 4 โ ๐ SecurityGuard: command blacklist
SKILL.md โ The Pipeline Script
Uses YAML frontmatter to declare metadata + file references, then Markdown to define each pipeline step:
---
name: feature_dev
description: Constrains the Agent to follow structured feature development.
assets:
checklist: assets/checklist.yaml
template: assets/template.yaml
references:
guidelines: references/guidelines.yaml
security: references/security.yaml
---
Steps are wrapped in <PIPELINE> tags, with <HARD-GATE> for blocking conditions:
<PIPELINE>
## Step 1: Inversion (Requirements Alignment)
<HARD-GATE>
If the user has not provided acceptance criteria, you must block and ask.
</HARD-GATE>
## Step 2: Generator (Generate from Template)
Your output must strictly follow `assets/template.yaml`.
## Step 3: Tool Wrapper (Security Fence)
Commands must be checked against `references/security.yaml`.
## Step 4: Reviewer (Self-Audit Loop)
Audit against `references/guidelines.yaml`. Retry up to 3x if non-compliant.
</PIPELINE>
checklist.yaml โ What the Agent Must Verify
checklist:
- "Feature requirements are clearly described with user stories"
- "Technology stack and framework are specified"
- "Acceptance criteria are defined"
- "Edge cases and error scenarios are considered"
template.yaml โ What the Output Must Look Like
template: |
# Feature Development Report
## 1. Requirement Understanding
## 2. Technical Design
## 3. Implementation
## 4. Tests
## 5. Integration Notes
security.yaml โ What's Forbidden (๐ Hidden from Agent)
tool_security:
blacklist:
- "rm -rf *"
- "sudo *"
- "curl * | sh"
denied_paths:
- "/etc"
- "~/.ssh"
- "~/.aws"
max_shell_timeout: 30
guidelines.yaml โ How Output Is Scored (๐ Hidden from Agent)
Supports 4 rule types for static analysis:
| Rule Type | Description | Example |
|---|---|---|
regex_match | Must match a regex pattern | Code blocks must exist (\```) |
regex_exclude | Must NOT match a regex | No [TODO] or [placeholder] |
length_limit | Min/max character/line count | At least 150 chars, 8 lines |
format_verify | Required Markdown headings | Must have "Implementation", "Tests" |
๐ The 5 Built-in SKILLs
P8 comes with 5 industrial-grade developer SKILLs out of the box. Don't just code. Engineer.
๐ PRD (skills/prd/)
Don't just build. Think first.
Forces the agent to gather requirements and generate a structured Product Requirements Document before writing a single line of logic.
๐ Bug Fix (skills/bug_fix/)
Find the root cause, or don't fix it at all.
Forces the agent through a strict 4-step golden path: Reproduce โ Root Cause Analysis โ Fix โ Regression Test.
๐ Code Review (skills/code_review/)
Never merge unreviewed AI slop.
The agent must submit its changes to the Reviewer engine. If the code fails security, performance, or correctness guidelines, the engine throws a P8_AUDIT_FAILED error, forcing the agent to retry and fix its own mess (up to 3 times) before presenting it to you.
๐๏ธ Refactor (skills/refactor/)
Change structure, not behavior.
Forces the agent to guarantee functional equivalence test-passes after moving code around.
๐ Feature Dev (skills/feature_dev/)
End-to-end delivery. Requirements โ Technical Design โ Implementation โ Unit Tests.
๐ MCP Enforcement Engine Deep Dive
The enforcement engine (src/p8/enforcement/) runs as a MCP stdio server. When connected to an IDE (Cursor, Windsurf, Claude Desktop), it exposes:
Resources (Cognitive Base โ Agent reads on startup)
| URI | Description | Source File |
|---|---|---|
skill://index | Lists all available SKILLs with names and descriptions | Scans skills/*/SKILL.md |
skill://{name}/skill_md | Full SKILL.md pipeline definition | skills/{name}/SKILL.md |
skill://{name}/checklist | Inversion checklist items | skills/{name}/assets/checklist.yaml |
skill://{name}/template | Output template | skills/{name}/assets/template.yaml |
Tools (Enforcement Checkpoints โ Agent must call these)
execute_tool โ OS Command Sandbox
{
"command": "npm install lodash",
"path": "./src/",
"operation": "write",
"skill": "feature_dev"
}
Internal chain (invisible to Agent):
- Loads
references/security.yamlfor the specified SKILL SecurityGuard.check_command(command)โ matches against regex blacklistSecurityGuard.check_path(path, operation)โ validates path is allowed- Returns
{"allowed": true}or{"allowed": false, "action": "BLOCKED"}
submit_review โ Output Audit Gate
{
"content": "# Feature Development Report\n## 1. Requirement Understanding\n...",
"skill": "feature_dev"
}
Internal chain (invisible to Agent):
- Loads
references/guidelines.yaml(hidden audit rules) - Loads
assets/template.yaml(format reference) Reviewer.audit(content)runs 4 check types:- Format verify: Are all required Markdown headings present?
- Regex match/exclude: Do patterns match/not match?
- Length limit: Is the content long enough?
- All pass โ
{"passed": true, "score": 100, "status": "APPROVED"} - Any fail โ Throws
P8AuditErrorโ returnsP8_AUDIT_FAILED+ violation list
The Self-Correction Loop
Agent completes work
โ
โผ
submit_review()
โ
โโโโโดโโโโ
โ PASS? โ
โโโโโฌโโโโ
Yes โ No
โ โ โ
โผ โ โผ
APPROVED P8_AUDIT_FAILED
+ violation list
โ
โผ
Agent reads violations,
fixes its output,
resubmits (up to 3ร)
โ
โโโโโโดโโโโโ
โ 3 fails โ
โโโโโโฌโโโโโ
โผ
Agent reports failure
to user with details
๐ End-to-End Data Flow
Here's what happens when an Agent works on a task in a P8-governed project:
Step 1: Agent reads skill://index โ Discovers available SKILLs
Step 2: Agent reads skill://X/checklist โ Gets pre-flight checklist
Step 3: Agent verifies checklist items โ ASKS user if anything missing (Inversion)
Step 4: Agent reads skill://X/template โ Learns required output format
Step 5: Agent starts working...
โโ Before any OS command:
execute_tool(command, skill) โ SecurityGuard checks regex blacklist
โโ allowed: true โ proceed
โโ allowed: false โ BLOCKED, Agent must stop
Step 6: Agent finishes output
โโ submit_review(content, skill) โ Reviewer audits against hidden rules
โโ passed: true โ APPROVED, deliver to user
โโ P8_AUDIT_FAILED โ Agent self-corrects and resubmits (up to 3ร)
๐ ๏ธ CLI Reference
| Command | Description |
|---|---|
p8 init [target] | Initialize P8 in a project and generate the 5 default SKILLs |
p8 init --lang zh | Initialize with Chinese-language SKILL files |
p8 list | List all available SKILLs in the current project |
p8 validate <skill_path> | Validate SKILL file integrity (run after editing YAML) |
p8 new <skill_name> | Create a scaffold for a new custom SKILL |
p8 serve | Start the MCP enforcement server (stdio mode) |
p8 mcp-config --client cursor | Generate MCP config JSON for Cursor IDE |
p8 --version | Show installed version |
๐ IDE Integration
Cursor / Windsurf / Claude Desktop
To turn on the active "Police" enforcement engine, install the MCP extension:
# Full install with MCP server support
pip install 'pattern8[enforcement]'
# Generate MCP config for Cursor
p8 mcp-config --client cursor
Paste the output into .cursor/mcp.json. Now, every time the Cursor Agent tries to run a command or finish a task, it must pass through the P8 execute_tool and submit_review checkpoints.
How Cursor Rules Work
P8 also installs a .cursor/rules/p8-enforcement.mdc file that is automatically injected into every Agent conversation. This file instructs the Agent to:
- Read
skill://indexon startup to discover SKILLs - Call
execute_tool()before running any OS command - Call
submit_review()after completing a SKILL pipeline - Never read
guidelines.yamlorsecurity.yamldirectly - Never modify
skills/orAGENTS.mdwithout explicit user permission
AGENTS.md
The AGENTS.md file at the project root is a global instruction file read by Agents that support project-level config (Cursor, Windsurf, etc.). It tells the Agent to:
- Check
skills/for matching SKILLs before starting any task - Follow the 5-pattern pipeline strictly
- Respect security red lines as absolute hard constraints
๐ Pre-commit Hooks
P8 installs a Git pre-commit hook that runs automatically on every git commit:
# What the hook does:
1. Validates all SKILL file integrity (p8 validate)
2. Scans staged files for hardcoded secrets (API keys, passwords, tokens)
3. Blocks the commit if any issues are found
Install manually:
cp hooks/pre-commit .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
Or automatically via p8 init.
๐๏ธ Creating Custom SKILLs
# Scaffold a new SKILL
p8 new my_custom_skill
# This creates:
# skills/my_custom_skill/
# โโโ SKILL.md โ Edit pipeline steps
# โโโ assets/
# โ โโโ checklist.yaml โ Edit pre-flight questions
# โ โโโ template.yaml โ Edit required output format
# โโโ references/
# โโโ guidelines.yaml โ Edit audit rules
# โโโ security.yaml โ Edit command blacklist
Then edit each file to match your team's governance needs. Run p8 validate skills/my_custom_skill to check integrity.
๐งช Testing
# Install dev dependencies
pip install -e ".[dev]"
# Run all tests (59 tests, 100% coverage)
pytest tests/ -v
# Tests cover:
# - CLI commands (init, list, validate, new)
# - SecurityGuard (blacklist matching, path blocking)
# - Reviewer (format checking, rule auditing, P8AuditError)
# - MCP server (resource reading, tool routing)
CI runs automatically on every push/PR against main, testing on:
- Python: 3.11, 3.12, 3.13
- OS: Ubuntu, macOS
๐ค Contributing
We welcome completely new SKILLs! See CONTRIBUTING.md for architectural details and how to open a PR.
For Chinese developers looking to deep-dive into the source code, see ARCHITECTURE_zh-CN.md.
๐ License
MIT